==============

During surgery, an X-ray photo sometimes needs to be taken. To do that, the ventilation machine needs to be paused while the X-ray is taken. The following is a simple example written for learning RT Maude.

Requirements

R1: Safety: The ventilation machine (VM) cannot be paused for more than 2 seconds each time, and it cannot be paused more than once within 10 minutes.

R2.1: Usability: When a user pushes the take-X-ray button, the X-ray machine (XM) will take a photo during the pause of the VM.
R2.2: When the button is pushed, the X-ray should be taken within 3 seconds.

============================================================
Assumptions

A1.1: The VM, the computer (running the protocol), the XM and the network could crash at any arbitrary time.
A1.2: Each device works correctly unless it crashes.
A1.3: Restarting a crashed device can take up to 1 min.
A1.4: Each device's mean time to failure is much longer (>>) than the surgery time.

A2.1: All clocks are synchronized within 10 msec.
A2.2: The maximum messaging end-to-end delay is 50 msec.

A3: Persistent memory is available for the protocol to use.


============================================================
Interlock protocol for the computer
loop
  block on (button_is_pushed signal);
  check persistent memory for last_pause_time;
  if ((current_time - last_pause_time) < (10 min + 10 msec)) {
      tell user to wait until (last_pause_time + 10 min + 10 msec);
      exit;
  } else {
      update last_pause_time in persistent memory to (current_time + 3 seconds);
      command VM to pause 2 seconds at current_time + 1 second;
      command XM to take a photo at current_time + 2 seconds;
  }
end-loop


Interlock protocol for VM
loop
  block on (pause command);
  {pause at (t + 1) for 2 seconds;}
end-loop



Interlock protocol for XM
loop
  block on (x-ray command);
  {take x-ray at (t + 2);}
end-loop

============================================================
We wish to check 

C1: Can the protocol meet the safety requirement R1, assuming that the VM works?

C2: Can the protocol meet the usability requirement R2, assuming that when the button is pushed at time t, the computer, the XM, the VM and the network are working and continue to work for a duration of 3 seconds? Can RT Maude find the tightest bound?

C3: Can a false pause occur? (A pause was recorded in persistent memory but did not actually happen.)

C4: Can any protocol eliminate false pauses and ensure safety within the given constraints?
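As an added example (constructed for this page; it is not part of the original exercise and is not RT Maude), the following Python model replays the three interlock loops above against a sequence of button pushes and evaluates checks C1 to C3 on the resulting trace. It makes three assumptions of its own: a command is delivered only if the network and the receiver are alive when the message arrives (after the A2.2 delay) and the receiver is still alive when it must act; each device clock is the computer's clock plus a fixed offset bounded by A2.1; and R1's "not more than once within 10 minutes" is read as pause starts at least 10 minutes apart. All function and field names (`run`, `safety_ok`, `false_pauses`, `Trace`, ...) are the example's own.

```python
"""Constructed discrete-event model of the VM/XM interlock protocol.

Times are integer milliseconds on a global clock. Device clocks are modelled as
the computer's clock plus a fixed per-device offset (A2.1 bounds it to 10 ms).
"""
from dataclasses import dataclass, field

PAUSE_MS = 2_000                 # R1: a pause lasts at most 2 s
MIN_GAP_MS = 10 * 60 * 1_000     # R1: at most one pause per 10 min
SKEW_MS = 10                     # A2.1: clocks agree within 10 ms
NET_DELAY_MS = 50                # A2.2: max end-to-end message delay
XRAY_DEADLINE_MS = 3_000         # R2.2: X-ray within 3 s of the button push


def always_up(t):
    """Default liveness predicate: the device never crashes."""
    return True


@dataclass
class Trace:
    """What actually happened, on the global clock."""
    recorded: list = field(default_factory=list)    # button times whose pause was recorded
    vm_pauses: list = field(default_factory=list)   # (start, end) of real VM pauses
    xrays: list = field(default_factory=list)       # (button_time, exposure_time)
    waits: list = field(default_factory=list)       # (button_time, wait_until)


def computer_on_button(now, memory, trace, vm_up, xm_up, net_up, vm_skew=0, xm_skew=0):
    """One pass of the computer's interlock loop for a button push at `now`.

    `memory` is the persistent store (A3). `vm_up`/`xm_up`/`net_up` map a global
    time to True if that device is alive then (A1.1). `vm_skew`/`xm_skew` are
    how far each device's clock runs ahead of the computer's clock (assumed model).
    """
    last = memory.get("last_pause_time", float("-inf"))
    if now - last < MIN_GAP_MS + SKEW_MS:
        trace.waits.append((now, last + MIN_GAP_MS + SKEW_MS))
        return
    # Record first, then command: the gap between these two steps is where a
    # false pause (C3) can arise if a command is never executed.
    memory["last_pause_time"] = now + 3_000
    trace.recorded.append(now)
    arrives = now + NET_DELAY_MS
    # VM loop: pause at (t + 1 s) on its own clock, i.e. global (t + 1 s) - skew.
    pause_at = now + 1_000 - vm_skew
    if net_up(arrives) and vm_up(arrives) and vm_up(pause_at):
        trace.vm_pauses.append((pause_at, pause_at + PAUSE_MS))
    # XM loop: expose at (t + 2 s) on its own clock.
    xray_at = now + 2_000 - xm_skew
    if net_up(arrives) and xm_up(arrives) and xm_up(xray_at):
        trace.xrays.append((now, xray_at))


def run(button_pushes, vm_up=always_up, xm_up=always_up, net_up=always_up,
        vm_skew=0, xm_skew=0):
    """Replay a sequence of button pushes against a fresh persistent memory."""
    memory, trace = {}, Trace()
    for t in sorted(button_pushes):
        computer_on_button(t, memory, trace, vm_up, xm_up, net_up, vm_skew, xm_skew)
    return trace


def safety_ok(trace):
    """R1 (C1), judged from the VM's real pauses: each pause <= 2 s and pause
    starts at least 10 min apart (the start-to-start reading assumed here)."""
    pauses = sorted(trace.vm_pauses)
    if any(end - start > PAUSE_MS for start, end in pauses):
        return False
    return all(s2 - s1 >= MIN_GAP_MS for (s1, _), (s2, _) in zip(pauses, pauses[1:]))


def worst_xray_latency(trace):
    """Largest button-to-exposure delay observed (C2); None if no X-ray was taken."""
    return max((x - b for b, x in trace.xrays), default=None)


def usability_ok(trace):
    """R2.2: every X-ray that was taken happened within 3 s of its button push."""
    lat = worst_xray_latency(trace)
    return lat is None or lat <= XRAY_DEADLINE_MS


def false_pauses(trace):
    """C3: button pushes whose pause was recorded but never executed by the VM."""
    starts = {start for start, _ in trace.vm_pauses}
    # A record at button time t corresponds to a pause commanded for t + 1 s,
    # shifted by at most the VM clock skew, so match on that window.
    return [t for t in trace.recorded
            if not any(abs(s - (t + 1_000)) <= SKEW_MS for s in starts)]


if __name__ == "__main__":
    # Healthy run: the second push falls inside the 10 min window and is refused.
    healthy = run([0, 5_000, 700_000])
    print("safety", safety_ok(healthy), "usability", usability_ok(healthy),
          "waits", healthy.waits, "false pauses", false_pauses(healthy))
    # VM is down when its pause is due: the pause is recorded but never happens.
    crashed = run([0], vm_up=lambda t: not (500 <= t < 2_000))
    print("false pauses", false_pauses(crashed), "x-rays", crashed.xrays)
```

Running the module replays a healthy sequence (the second push is answered with a wait-until time of 603 010 ms, the 10 min + 10 msec guard measured from the recorded `current_time + 3 seconds`) and then a run in which the VM is crashed at `t + 1`: because the record is written before the commands are sent, `false_pauses` reports that push, which is exactly the C3 situation, and the trace also shows the XM still exposing at `t + 2` on its own command. Sweeping `vm_skew` and `xm_skew` over the ±10 ms allowed by A2.1 gives the largest button-to-exposure latency this model can produce, 2 s + 10 ms, which is a quick sanity value to compare against the tightest bound RT Maude reports for C2.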
